The Internet provides access to various pieces of information, applications, services, and vehicles for publishing information. Today, the Internet has significantly changed the way we access and use information. The Internet allows users to quickly and easily access services such as banking, e-commerce, e-trading, and other services people access in their daily lives.
In order to access such services, a user often shares personal information such as name and contact details, as well as highly confidential information such as usernames, passwords, bank account numbers, credit card details, and the like, with service providers. Similarly, confidential information of companies, such as trade secrets, financial details, employee details, company strategies, and the like, is also stored on servers that are connected to the Internet. There is a threat that such confidential data may be accessed and leaked by malware, viruses, spyware, key loggers, and various other methods of unauthorized access. These methods include the use of legitimate tools (e.g., remote desktop and remote process services) that have been compromised in order to access such information or to install malware that will allow access to it, as well as insiders (the organization's own users) with the intent to steal information from the organization. Such unauthorized access poses great danger to unwary computer users.
Recently, the frequency and complexity level of attacks has increased with respect to attacks performed against all organizations including, but not limited to, cloud providers, enterprise organizations, and network carriers. Some complex attacks, known as multi-vector attack campaigns, utilize different types of attack techniques and target network and application resources in order to identify at least one weakness that can be exploited to achieve the attack's goals, thereby compromising the entire security framework of the network.
Another type of complex attack is an advanced persistent threat (APT). An APT is an attack in which an unauthorized hacker gains access to a network and remains undetected for a long period of time. The intention of an APT attack is usually to steal data rather than to cause direct damage to the network or organization. APT attacks typically target organizations in sectors with high-value information, such as the national defense, manufacturing, retail, and financial industries.
These attacks are frequently successful because modern security solutions are not sufficiently agile and adaptive with respect to detection, investigation, and mitigation of resources needed to meet such evolving threats. Current security solutions cannot easily and promptly adapt to detect and mitigate new attack behavior, or attacks that change their behavior in a significant manner in order to evade them. In addition, current security solutions cannot easily and promptly adapt to new network technologies and topologies implemented by the entities to be protected.
As an example that illustrates some of the complexity involved in today's attacks, modern computing platforms, such as virtualization and software-defined networks (SDN), present real challenges to security systems. Such platforms host an enormous number of tenants with virtual, distributed, and dynamic resources. Each protected entity can be removed or created in minutes and can be transformed into a malicious resource, thereby attacking its own “neighbors,” whether local or remote network entities.
In addition, cyber attackers currently use generic platforms, such as mobile application frameworks, web application frameworks, and cloud service platforms, as well as platforms specifically designed for creating malware and bot applications, to rapidly build tools for their own malicious purposes. These various platforms, together with the “element of surprise” that is usually on the side of the attacker, create an often unbeatable challenge for defenders. Attacks can arrive from anywhere, at any volume, and in any dynamic form.
Specifically, currently available solutions suffer from drawbacks including a lack of, for example, programmability, automatic mitigation, and collaboration. For example, a security defense system that is not programmable becomes ineffective in a matter of a few days or even a few hours, because such a system fails to resist, or to adapt in time to, any new attack behavior that aims to bypass or evade it.
Moreover, current security solutions do not share attack information or detection, investigation, and mitigation solutions between different companies, due to the risk of revealing confidential data of a protected entity. Solutions typically operate in “silos,” where they do not share any detection, investigation, or effective mitigation means with other solutions. This lack of communication limits the ability to adapt one security system using information about attack behavior detected by another system, whether in another organization or in the same organization. Such sharing would permit security systems to react promptly to new threats: a security system that has been subject to a new threat and has successfully addressed it could provide information about the security functions or applications that were used to do so.
The ability to react promptly to new threats is particularly important in modern security applications, because today's attacks evade even the most advanced cyber-attack detection and prevention technologies in a matter of days and sometimes even hours. Attackers behind well-organized advanced attack campaigns can analyze a security product's capabilities before and during the attack and then modify their attack tools, create new malware, change the “route” of the attack, and otherwise manipulate the attack in ways that bypass defenses and, eventually, achieve the attacker's goal.
For a modern security expert to develop a solution, the expert must be skilled in a number of complex security techniques including, for example, control of computing resources, advanced analytics systems, and different types of security products that have no standard control “language.” Additionally, such a security expert cannot combine security functions provided by different security systems and/or vendors. Typically, such functions are not programmable and thus cannot be integrated with other functions. In addition, defining and creating a new security function currently requires months of research and development. For evolving attacks and threats, these are not feasible solutions.
Therefore, the way current security solutions operate prevents the implementation of optimal security solutions that address all the security needs in organizations.
Currently, even though an ample number of security solutions, services, and functions exist, there is no platform that allows collaboration between different security solutions, services, and/or functions, where collaboration means sharing security solutions rather than sharing security vulnerabilities, exploits, and attack vectors. Furthermore, there is no platform that allows the services and functions to be reprogrammed on the fly to handle a new or modified version of a threat. For example, when security functions are bypassed, they cannot be reprogrammed to detect and prevent the new attack behavior (e.g., the same attack that has already caused a security breach).
It would therefore be advantageous to provide a solution that overcomes the deficiencies of prior art cyber security systems by providing a readily adaptable and customizable cyber security system and security functions.